CVEs are being added this year at a rate of more than 300 per week on average. If that pace holds, the total should rise by another 2,000 CVEs by year’s end. This means that the vulnerability rate is nearly triple what it was 10 years ago. What does the continuously rising total mean for companies that develop and bring to market embedded systems in this environment?

Vulnerability Management for Product Developers

From a product line management point of view, vulnerability management entails tracking and responding to vulnerabilities that affect your products, both those still in development and those already on the market. Depending on your particular type of product, this may include continuous monitoring of one or more vulnerability databases, tracking security patches issued by component suppliers, and putting mitigations in place to reduce the risk that a vulnerability is exploited.

Strictly speaking, the CVE listing published by MITRE is not a vulnerability database like the NIST National Vulnerability Database or the proprietary vulnerability databases offered by some companies. In contrast to those databases, MITRE’s CVE listing doesn’t contain detailed information about the risk associated with a given vulnerability (such as a CVSS score) or its mitigation. Instead, the CVE list acts as an index of known vulnerabilities, each with a unique identifier, that lets organizations link a vulnerability to the systems it can affect, so that appropriate mitigation steps, patches and other responses can be planned, coordinated and executed quickly.

You can look at the CVE list as a common index of known vulnerabilities that should be the jumping-off point for your more involved vulnerability management process.

Best Practices for More Secure Products

To that end, here are the best practices that our customers follow in vulnerability management:

1. Vulnerability monitoring

With the majority of products on the market incorporating many different software components, many of them open source, a lot of data sources need to be tracked and monitored on a continuous basis: the CVE list and vulnerability databases, but also the security advisories and patch releases of each component supplier.

2. Vulnerability filtering

Only a fraction of the vulnerabilities being publicly disclosed will likely apply to your products, so a portion of your vulnerability management process should focus on sifting through the reported security issues to narrow your focus to those that pertain to the components in your products and the affected versions of those components.

Naturally, to properly analyze this, you also need to have a clear and accurate inventory of components in your products, such as a software bill of materials produced by an open source software scan and analysis.

3. Vulnerability assessment

For the purposes of product line management, vulnerability assessment means analyzing the vulnerabilities you have identified as applicable, evaluating any known exploits that take advantage of them, and then assessing the likelihood and impact of a security breach that could result.

So your assessment will focus on questions such as whether the affected component is reachable by an attacker at all, for example over a network interface exposed to external access, or whether it is only used internally in a way that the vulnerable code path cannot be triggered. A high CVSS score on its own does not answer that question for your particular device.
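The filtering (step 2) and assessment (step 3) described above can be carried out mechanically once you have an SBOM and vulnerability records with affected-version ranges. The following is an added illustration written for this page; it is not Timesys code and not part of the TRST solutions. The SBOM entries, the vulnerability records in the shape of NVD's versionStartIncluding/versionEndExcluding range fields, the `exposed` flag and the placeholder identifiers (CVE-0000-*) are all constructed for the example; no real advisory is quoted.

```python
"""Match a product SBOM against vulnerability records, then rank the hits
by exposure. Added example, not code from the original article.
All data below is constructed; the CVE-0000-* identifiers are placeholders."""
import re

# Constructed SBOM, one entry per component as a scan would produce it.
# 'exposed' records whether the component handles untrusted network input.
# That is the product team's own judgement, not something CVE data contains.
SBOM = [
    {"name": "openssl",  "version": "1.1.1c",  "exposed": True},
    {"name": "busybox",  "version": "1.31.0",  "exposed": False},
    {"name": "dropbear", "version": "2019.78", "exposed": True},
    {"name": "zlib",     "version": "1.2.11",  "exposed": False},
]

# Constructed records shaped like NVD range data: affected versions are
# [start_incl, end_excl); a None bound is open. Placeholder IDs, not real CVEs.
VULNS = [
    {"id": "CVE-0000-0001", "product": "openssl",
     "start_incl": "1.1.1", "end_excl": "1.1.1d", "cvss": 7.5},
    {"id": "CVE-0000-0002", "product": "openssl",
     "start_incl": "1.0.2", "end_excl": "1.0.2u", "cvss": 9.8},
    {"id": "CVE-0000-0003", "product": "busybox",
     "start_incl": "1.30.0", "end_excl": "1.31.1", "cvss": 5.5},
    {"id": "CVE-0000-0004", "product": "zlib",
     "start_incl": None, "end_excl": "1.2.9", "cvss": 8.8},
    {"id": "CVE-0000-0005", "product": "libcurl",
     "start_incl": "7.0.0", "end_excl": "7.66.0", "cvss": 9.1},
]


def parse_version(v):
    """Turn '1.1.1c' into (1, 1, 1, 0, 'c') so tuples compare in release order.
    Numeric fields compare as integers (so 1.2.11 > 1.2.9, which a plain string
    comparison gets wrong); fields are padded to four so versions of different
    depth compare; an OpenSSL-style letter suffix sorts after no suffix."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums) + (m.group(2),)


def in_range(version, start_incl, end_excl):
    """True if version lies in [start_incl, end_excl); a missing bound is open."""
    v = parse_version(version)
    if start_incl is not None and v < parse_version(start_incl):
        return False
    if end_excl is not None and v >= parse_version(end_excl):
        return False
    return True


def filter_vulns(sbom, vulns):
    """Step 2, filtering: keep only records whose product matches an SBOM
    component and whose affected range covers the shipped version."""
    by_name = {c["name"]: c for c in sbom}
    hits = []
    for rec in vulns:
        comp = by_name.get(rec["product"])
        if comp is None:
            continue  # component not in this product at all
        if in_range(comp["version"], rec["start_incl"], rec["end_excl"]):
            hits.append({**rec, "version": comp["version"],
                         "exposed": comp["exposed"]})
    return hits


def prioritize(hits):
    """Step 3, assessment: externally reachable components first, then by
    CVSS. Exposure is the team's input; CVSS alone does not say whether the
    attack path exists on this device."""
    return sorted(hits, key=lambda h: (not h["exposed"], -h["cvss"]))


def triage(sbom=SBOM, vulns=VULNS):
    """Return the ordered list of applicable record IDs for the product."""
    return [h["id"] for h in prioritize(filter_vulns(sbom, vulns))]


if __name__ == "__main__":
    for h in prioritize(filter_vulns(SBOM, VULNS)):
        print(h["id"], h["product"], h["version"],
              "exposed" if h["exposed"] else "internal", h["cvss"])
```

Of the five constructed records, only two survive filtering: the second OpenSSL record targets the 1.0.2 branch, the zlib record stops before 1.2.9 (and 1.2.11 is newer, which a lexical string comparison would miss), and libcurl is not in the SBOM. The network-exposed OpenSSL hit is then ranked ahead of the higher-numbered but internal BusyBox hit, which is the kind of ordering step 3 asks for.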

4. Mitigation

Mitigation involves determining how a vulnerability that poses a security risk can be eliminated or addressed on at least a temporary basis to lessen the breach exposure for your customers. This means mitigation may involve modification of a device configuration in production, a security patch or even a customer advisory directing temporary suspension of product usage until a patch is available.

5. Patch management

Ultimately a large percentage of vulnerabilities result in the product manufacturer or software component maker issuing a security patch. So patch management is an important part of security maintenance and it should be aligned to the rest of your vulnerability management process.

So, for example, the immediate mitigation of a product with a serious security vulnerability representing a high chance of a breach may be to take it out of production deployment until a patch can be applied.

Our Threat Resistance Security Technology (TRST) Product Protection Solutions will assist you with cutting through the continuing storm of vulnerabilities to focus on those that matter to you and your customers.

Adam Boone is VP of Marketing at Timesys. Over two decades, Adam has launched more than 50 solutions in networking, cybersecurity, enterprise applications, telecom and other technology areas. He completed his MBA in Business Strategy at Arizona State and the Marketing Strategy Program at Penn’s Wharton School.

About Timesys

Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, delivering smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.
